48ff0eb6eddfcc3686fdfe0a137d9055521dbd8e6df879cc3652d15d2ba85953

Analysis

max time kernel
149s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
02/06/2024, 21:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6f039287d954ba25fcb2e2dc570369b0_NeikiAnalytics.exe
Size

2.7MB
MD5

6f039287d954ba25fcb2e2dc570369b0
SHA1

05af7687cda164eb8eba2f563a46487499662297
SHA256

48ff0eb6eddfcc3686fdfe0a137d9055521dbd8e6df879cc3652d15d2ba85953
SHA512

4fba14d4aab0067c741a53d3727299b7a5e60a00795980976c6c9273cf30b57a655b3ca55c8077c39e6ba63e946780f464253f0e9bf7dfe1d1bdc405aac18064
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBs9w4Sx:+R0pI/IQlUoMPdmpSpa4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2624	devoptiec.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvD5\\devoptiec.exe"	6f039287d954ba25fcb2e2dc570369b0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZSC\\bodaloc.exe"	6f039287d954ba25fcb2e2dc570369b0_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
400	6f039287d954ba25fcb2e2dc570369b0_NeikiAnalytics.exe
400	6f039287d954ba25fcb2e2dc570369b0_NeikiAnalytics.exe
400	6f039287d954ba25fcb2e2dc570369b0_NeikiAnalytics.exe
400	6f039287d954ba25fcb2e2dc570369b0_NeikiAnalytics.exe
2624	devoptiec.exe
2624	devoptiec.exe
400	6f039287d954ba25fcb2e2dc570369b0_NeikiAnalytics.exe
400	6f039287d954ba25fcb2e2dc570369b0_NeikiAnalytics.exe
2624	devoptiec.exe
2624	devoptiec.exe
400	6f039287d954ba25fcb2e2dc570369b0_NeikiAnalytics.exe
400	6f039287d954ba25fcb2e2dc570369b0_NeikiAnalytics.exe
2624	devoptiec.exe
2624	devoptiec.exe
400	6f039287d954ba25fcb2e2dc570369b0_NeikiAnalytics.exe
400	6f039287d954ba25fcb2e2dc570369b0_NeikiAnalytics.exe
2624	devoptiec.exe
2624	devoptiec.exe
400	6f039287d954ba25fcb2e2dc570369b0_NeikiAnalytics.exe
400	6f039287d954ba25fcb2e2dc570369b0_NeikiAnalytics.exe
2624	devoptiec.exe
2624	devoptiec.exe
400	6f039287d954ba25fcb2e2dc570369b0_NeikiAnalytics.exe
400	6f039287d954ba25fcb2e2dc570369b0_NeikiAnalytics.exe
2624	devoptiec.exe
2624	devoptiec.exe
400	6f039287d954ba25fcb2e2dc570369b0_NeikiAnalytics.exe
400	6f039287d954ba25fcb2e2dc570369b0_NeikiAnalytics.exe
2624	devoptiec.exe
2624	devoptiec.exe
400	6f039287d954ba25fcb2e2dc570369b0_NeikiAnalytics.exe
400	6f039287d954ba25fcb2e2dc570369b0_NeikiAnalytics.exe
2624	devoptiec.exe
2624	devoptiec.exe
400	6f039287d954ba25fcb2e2dc570369b0_NeikiAnalytics.exe
400	6f039287d954ba25fcb2e2dc570369b0_NeikiAnalytics.exe
2624	devoptiec.exe
2624	devoptiec.exe
400	6f039287d954ba25fcb2e2dc570369b0_NeikiAnalytics.exe
400	6f039287d954ba25fcb2e2dc570369b0_NeikiAnalytics.exe
2624	devoptiec.exe
2624	devoptiec.exe
400	6f039287d954ba25fcb2e2dc570369b0_NeikiAnalytics.exe
400	6f039287d954ba25fcb2e2dc570369b0_NeikiAnalytics.exe
2624	devoptiec.exe
2624	devoptiec.exe
400	6f039287d954ba25fcb2e2dc570369b0_NeikiAnalytics.exe
400	6f039287d954ba25fcb2e2dc570369b0_NeikiAnalytics.exe
2624	devoptiec.exe
2624	devoptiec.exe
400	6f039287d954ba25fcb2e2dc570369b0_NeikiAnalytics.exe
400	6f039287d954ba25fcb2e2dc570369b0_NeikiAnalytics.exe
2624	devoptiec.exe
2624	devoptiec.exe
400	6f039287d954ba25fcb2e2dc570369b0_NeikiAnalytics.exe
400	6f039287d954ba25fcb2e2dc570369b0_NeikiAnalytics.exe
2624	devoptiec.exe
2624	devoptiec.exe
400	6f039287d954ba25fcb2e2dc570369b0_NeikiAnalytics.exe
400	6f039287d954ba25fcb2e2dc570369b0_NeikiAnalytics.exe
2624	devoptiec.exe
2624	devoptiec.exe
400	6f039287d954ba25fcb2e2dc570369b0_NeikiAnalytics.exe
400	6f039287d954ba25fcb2e2dc570369b0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 400 wrote to memory of 2624	400	6f039287d954ba25fcb2e2dc570369b0_NeikiAnalytics.exe	84
PID 400 wrote to memory of 2624	400	6f039287d954ba25fcb2e2dc570369b0_NeikiAnalytics.exe	84
PID 400 wrote to memory of 2624	400	6f039287d954ba25fcb2e2dc570369b0_NeikiAnalytics.exe	84

C:\Users\Admin\AppData\Local\Temp\6f039287d954ba25fcb2e2dc570369b0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\6f039287d954ba25fcb2e2dc570369b0_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:400
- C:\SysDrvD5\devoptiec.exe
  C:\SysDrvD5\devoptiec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LabZSC\bodaloc.exe

Filesize
2.7MB

MD5
fdcaa8e1a5e299f56f7e31fc4d280245

SHA1
c901d14be6cb792e820fa87b1876a4eacbf31c16

SHA256
85fcd93ee004dfed64ddfff58cfbaa35b9fb65089e42d1bfa4044eaa3b5bc848

SHA512
f5a4688246a5d283582b1b9664eb7dd80d61d8addd666a0a4f4bda0f8e6c49553b8df7616166eb38ba90d3fc033c4dfb38190d69a5983a7dfe6a80454fc760fc

Download Submit
C:\SysDrvD5\devoptiec.exe

Filesize
2.7MB

MD5
efe0e8c5c0b52aa29a598dac4af830f6

SHA1
e74ded0b7f47632299d3643f7bac3b259a76c540

SHA256
e6a11ab4b0179e9e270beae49748dd4c4d6f32edf7b9b847fb16335459c384c6

SHA512
3338f53001f051054e02003b4ca53e36aa1d37651edecacd863c725685523602a4b244f50bea30ec4399b4e06049c81d1cb53a6625898616afac5800e1134f7e

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
205B

MD5
c4050220ee34418d51b09686d1cb5237

SHA1
eea63912c75b14bb64542fa2e2ae647b99a1f27b

SHA256
1fc51d0519696c35d9cccc82431e85099fe1fb4fb8b3dbfc380d6e0d06da9e28

SHA512
3aafdb8311918d9e9ed1395986edffbfcfc5b9f890fbcae04af657a0ce52ac1298188c6efcf59e86779f9aa069ee8fa809c760f81e7c5b5c4ee551ba1d385fe2

Download Submit